Date:      Sat, 7 Oct 2023 10:30:45 +0000
From:      "Bas v.d. Wiel" <bas@area536.com>
To:        freebsd-net@freebsd.org
Subject:   In-kernel ipfw NAT and port ranges
Message-ID:  <0102018b09b08518-1c479f58-a7a5-4ed4-9295-a1096b7fb9fe-000000@eu-west-1.amazonses.com>

Hello all,

After an hour of googling I turned up empty so I decided to post here. 
I'm running a server with a single IPv4 address and a number of VNET 
jails. The jails all have RFC1918 addresses and are connected to a 
bridge. Pretty standard stuff and everything works, including individual 
port redirection.

The problem now: passive FTP. I would like to NAT a range of high ports 
to an FTP jail on the inside. The jail lives at 10.20.0.17 and runs a 
low traffic anonymous FTP server for public use. Configuring the NAT to 
redirect ports 20 and 21 there individually works just fine. In order to 
also forward ports 63000-65000 there (the passive high-port range as 
configured on the FTP server), I run into errors when trying to use 
redirect_port with a range.

So this part of the NAT config works fine:

redirect_port tcp 10.20.0.17:21 21

While this bit runs into errors:

redirect_port tcp 10.20.0.17:63000-65000 63000-65000

I looked at the source code and it seems that the in-kernel NAT indeed 
doesn't permit passing in port ranges for redirection. Is this true? And 
if so, what would my options be? I'm trying to run as few services as 
possible on the host itself, so I'd prefer to not run FTP proxies on 
there unless that really is the best way forward. My other option seems 
to be natd.

Any help or insights would be much appreciated!

Bas